U.S. Customs and Border Protection has confirmed a data breach has exposed the photos of travelers and vehicles traveling in and out of the United States.
The photos were stolen from a subcontractor’s network through a “malicious cyberattack,” a CBP spokesperson told TechCrunch in an email.
“CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” said a statement.
“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract,” the statement read.
The agency first learned of the breach on May 31.
When asked, a spokesperson for CBP didn’t say how many photos were taken in the breach or whether U.S. citizens were affected. The agency also didn’t name the subcontractor involved.
It remains unclear exactly what kind of photos were taken, such as whether the images were collected directly by CBP officers from visitors entering the U.S. or as part of the agency’s rollout of facial recognition technology at U.S. airports.
The agency, which processes millions of travelers entering the U.S. every week, maintains a database of traveler images, including passport and visa photos. The database has come under fire from a federal watchdog, which said the accuracy of the system was subpar.
More than a dozen U.S. airports are already rolling out the facial recognition technology, with many more to go before the U.S. government hits its target of enrolling the largest 20 airports in the country before 2021.
CBP said it had notified members of Congress and is “closely monitoring” CBP-related work by the subcontractor.